Malware authors have been using the Windows Task Scheduler (or AT.exe jobs) to victimize hosts for at least a decade, but the Stuxnet worm seems to have ushered in a renaissance. Recent Zlob variants have made frequent use of Task Scheduler; the widespread click-fraud Trojan Bamital drew on Task Scheduler as well.
Stuxnet exploited Task Scheduler in a way that was previously unknown -- it was a true zero-day attack. But malware doesn't have to get too fancy to put Task Scheduler to ill use. For example, malware will often create a task that looks for certain preconditions to launch, downloads new malicious code on a schedule, or uses scheduled tasks as a way to always remain in memory. I've seen malware hunters struggle to find out how the malicious code "keeps re-infecting their clean system." Answer: Check the Task Scheduler.
Unfortunately, I'm finding more and more examples of new malware and even APT-style attacks that are abusing Task Scheduler and AT.exe, and they are being sneaky about it. Now is a good time for all of us to check the Task Scheduler.
Know your Windows Task Scheduler
Between current and older versions of Windows, there are three different utilities for scheduling tasks. Here's a quick recap of their differences. The early precursor to Windows Task Scheduler, AT.exe, only worked at the command line. Schtasks.exe was added in Windows XP and Windows Server 2003 as a replacement for AT.exe, but AT.exe was still included for backward compatibility. The Windows Task Scheduler is a more functional GUI application that has been around, in one form or another, since Windows 95 Plus Pack. All three tools rely upon the Task Scheduler service.
All three task-scheduling tools can work locally or remotely against other hosts. When used remotely, AT.exe uses Remote Procedure Calls (RPC) carried inside Server Message Block (SMB) packets. Schtasks and Windows Task Scheduler use native RPC and skip the SMB encapsulation. When used remotely, the targeted host's Task Scheduler service handles the heavy work of creating, scheduling, and running the job. The older versions of these tools require that the task administrator be a privileged user, but tasks not requiring elevation can be created by regular user accounts.
Scheduled tasks are implemented as individual files. Each task is named according to a system-unique Security Identifier Description (or SID) or given a user- or system-supplied name. Tasks are stored in %Windir%\System32\Tasks by default, and may have .job extensions. The .job files are binary, but they can be decoded (more on that below). In Windows Vista, Windows 7, and Windows Server 2008, the new task files are XML and easily readable.
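Because the Vista/7/2008 task files are plain XML, a hunter does not need a decoder to inspect them: the author, the command being run, the trigger, and the requested privilege level are all readable fields. The following script is an added example (not code from the article or from Microsoft) that parses one task definition and applies a few hypothetical triage rules a defender would care about, such as a binary launched from a user-writable folder or a task that fires at every logon. The XML namespace is the real one Task Scheduler uses; the sample task itself is constructed, and the `scan_tasks_dir` helper that walks `%Windir%\System32\Tasks` only runs on Windows.

```python
"""Added example (not from the article): read Task Scheduler XML task files,
the format Windows Vista/7/Server 2008 store under %Windir%\\System32\\Tasks,
and pull out what a malware hunter looks at first: who registered the task,
what it runs, from where, how often, and at what privilege level."""
import os
import re
import xml.etree.ElementTree as ET

# Real namespace used by Task Scheduler 2.0 XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task. Real files on disk are UTF-16 with a BOM; this one
# is a plain str so the example runs without touching the filesystem.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>EXAMPLE\\user</Author>
    <Date>2011-01-01T00:00:00</Date>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2011-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\Temp\\update.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Hypothetical heuristic: folders an unprivileged user can write to.
# Legitimate scheduled tasks rarely launch binaries from these locations.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


def _text(elem, path):
    """Text of the first element matching a namespaced path, or ''."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def parse_task(xml_data):
    """Return the interesting fields of one task definition as a dict.
    xml_data may be a str or the raw bytes of a task file."""
    root = ET.fromstring(xml_data)
    trig_parent = root.find("t:Triggers", NS)
    # Trigger element names (LogonTrigger, TimeTrigger, ...) without namespace.
    triggers = [] if trig_parent is None else [c.tag.split("}")[-1] for c in trig_parent]
    actions = [
        {"command": _text(ex, "t:Command"), "arguments": _text(ex, "t:Arguments")}
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "user_id": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "repeat_interval": _text(root, ".//t:Repetition/t:Interval"),
        "triggers": triggers,
        "actions": actions,
    }


def review_task(task):
    """Hypothetical triage rules; returns human-readable reasons to look closer."""
    reasons = []
    for act in task["actions"]:
        if USER_WRITABLE.search(act["command"]):
            reasons.append("runs binary from user-writable path: " + act["command"])
    if task["run_level"] == "HighestAvailable":
        reasons.append("requests highest available privileges")
    if task["user_id"] == "S-1-5-18":
        reasons.append("runs as LocalSystem (S-1-5-18)")
    if "LogonTrigger" in task["triggers"]:
        reasons.append("fires at every logon")
    if task["repeat_interval"]:
        reasons.append("repeats every " + task["repeat_interval"])
    return reasons


def scan_tasks_dir(root_dir=None):
    """Walk the tasks folder and yield (task name, parsed task, reasons)."""
    if root_dir is None:
        root_dir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "System32", "Tasks")
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    task = parse_task(fh.read())  # expat handles the UTF-16 BOM
            except ET.ParseError:
                continue  # pre-Vista binary .job files are not XML
            yield os.path.relpath(path, root_dir), task, review_task(task)


if __name__ == "__main__":
    sample = parse_task(SAMPLE_TASK_XML)
    print(sample["author"], "->", sample["actions"])
    for reason in review_task(sample):
        print("  -", reason)
    if os.name == "nt":  # only meaningful on a Windows host
        for rel_name, task, reasons in scan_tasks_dir():
            if reasons:
                print(rel_name, ":", "; ".join(reasons))
```

Run it on a Windows host and every task under the tasks folder that trips a rule is printed with the reasons; the rules are deliberately coarse, so treat the output as a worklist for a human, not a verdict. Tasks named by GUID-style identifiers with no meaningful description deserve the same scrutiny as the ones that trip a rule.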